Disclaimer
I have no malice towards Mojang, nor do I condone the illegitimate distribution of capes, which were created to be a cool thing for Minecraft community members and event attendees. However, it’s been almost a year since this was reported, and I’m done trying to contact them.
Overview
After waiting almost a year for Minecraft’s creators (Mojang AB) to respond to my bug report past an initial message, I have come to the conclusion that they do not feel this issue to be of importance. Because of this, I am now disclosing this issue to the general public.
Capes are one of the most highly coveted things available in-game in Minecraft. Just to give you an idea of how coveted these items are, there are currently listings on eBay for the least rare variant of this item going for around $300. Additionally, Mojang, creators of Minecraft, have explicitly forbidden giving away capes in their Q/A post on server monetization. The design flaw detailed here allows server owners or plugin developers to partially bypass the skin and cape verification system.
Skin system
The Mojang skin/texture system is decently simple. An initial request is sent to https://sessionserver.mojang.com/session/minecraft/profile/{uuid} where {uuid} is the user in question’s id. Mojang responds with something like this:
The “textures” field contains a base64-encoded string that holds the skin and cape URLs. Previously, servers were able to modify this data when it was relayed to the client. However, the client now checks the provided RSA signature to ensure it has not been modified. This should, ideally, prevent people from modifying the data Mojang initially signed.
Vulnerability Details
How do you change something that’s realistically unmodifiable? Luckily, we don’t need to. Though the date at which the data was generated is included, Mojang fails to verify it. This means that any data signed is valid forever. There are two possible scenarios in which this is exploitable. One is during a promotional event. A good example of this was the release of Mojang’s game Scrolls, when capes were issued to all users. If a user had stored their data from this event, they would be able to relay it after the event had ended. A second vector, which is far more probable, is that a user with a cape issued to them would temporarily modify their skin. After the image linked to the caped user is changed, Mojang signs the data containing that skin and cape, and clients will then accept it as valid forever. The caped user can then change their skin back to its original state and relay the previously generated data for another user to give them a cape.
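The freshness check the paragraph above says the client lacks, as an added defender-side example (not code from this post or from the CapeGiver PoC). It assumes the decoded payload carries the session server’s timestamp, profileId, profileName and textures.SKIN/CAPE fields, of which the post names only textures; the 24-hour window and the clock-skew tolerance are constructed policy values:

```python
import base64
import json
from typing import Dict, Optional

# Constructed policy values for this example; the protocol the post describes has none.
MAX_AGE_MS = 24 * 60 * 60 * 1000    # longest a signed blob stays acceptable
MAX_FUTURE_SKEW_MS = 5 * 60 * 1000  # tolerate small clock differences

class StaleTexturesError(ValueError):
    """A correctly signed textures payload that is too old (or too new) to trust."""

def decode_textures(value_b64: str) -> dict:
    """Decode the base64 'textures' property value into its JSON payload.
    Assumed fields: timestamp (ms), profileId, profileName, textures.SKIN/CAPE."""
    return json.loads(base64.b64decode(value_b64))

def check_textures_fresh(payload: dict, now_ms: int) -> Dict[str, str]:
    """The check the post says is missing. Run it only AFTER the RSA signature over
    the base64 value has verified; it rejects signed-but-replayed payloads by age."""
    ts = payload.get("timestamp")
    if not isinstance(ts, int):
        raise StaleTexturesError("signed payload carries no usable timestamp")
    age_ms = now_ms - ts
    if age_ms > MAX_AGE_MS:
        raise StaleTexturesError(f"signed payload is {age_ms} ms old; replay suspected")
    if age_ms < -MAX_FUTURE_SKEW_MS:
        raise StaleTexturesError("signed payload is dated in the future")
    return {kind: tex["url"] for kind, tex in payload.get("textures", {}).items()}

def accept_textures(value_b64: str, now_ms: int) -> Dict[str, str]:
    """Decode and freshness-check a textures value; returns {kind: url} or raises."""
    return check_textures_fresh(decode_textures(value_b64), now_ms)

def is_accepted(value_b64: str, now_ms: int) -> bool:
    """Boolean form of accept_textures, for callers that just need a verdict."""
    try:
        accept_textures(value_b64, now_ms)
        return True
    except StaleTexturesError:
        return False

def make_value(timestamp_ms: int, cape_url: Optional[str] = None) -> str:
    """Build a constructed base64 textures value shaped like what Mojang signs."""
    textures = {"SKIN": {"url": "https://example.invalid/skin.png"}}
    if cape_url:
        textures["CAPE"] = {"url": cape_url}
    payload = {"timestamp": timestamp_ms, "profileId": "0" * 32,
               "profileName": "ExamplePlayer", "textures": textures}
    return base64.b64encode(json.dumps(payload).encode()).decode()
```

With a window like this, a blob stored during a promotional event, or generated while a caped user briefly wore someone else’s skin, stops being accepted once the window passes, even though its signature remains valid.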
PoC
https://github.com/Plazmaz/CapeGiver
Disclosure timeline
- July 4th, 2015: Initial report at Minecon 2015, was asked to send email
- July 8th, 2015: Reported via email with suggested patches: https://gist.github.com/Plazmaz/320e15309ef0b2b6c904 https://gist.github.com/Plazmaz/9e89bae9353d84fa5c67
- July 10th, 2015: Received response via email asking that I report it via the bug tracker
- July 10th, 2015: Created bug MC-82231 as per request and replied to email with bug ID, no response
- July 22nd, 2015: Requested status update on the bug and updated suggested patch via email, no response
- February 24th, 2016: Contacted Mojang support to ensure they had received my emails.
- February 25th, 2016: Mojang claimed to have replied to the emails, but after checking all inboxes (including spam), I was unable to find their reply. I then asked that the emails be resent or a summary be provided.
- February 26th, 2016: Mojang support responded: “Unfortunately, we’re unable to help you with this issue as this help center is limited mostly to accounts and billing.”, then later linked me the bug tracker.
- March 21st, 2016: Wrote blog post stating frustration about Mojang’s response to bugs with no specific vulnerability information included
- March 21st, 2016: Received response from volunteer JIRA moderator stating he would relay the issue to Mojang
- May 16th, 2016: Responded to bug report prompting for input, no response
- June 22nd, 2016: Notified of pending disclosure without comment from Mojang within 48 hours
- June 25th, 2016: Disclosure